back to article Apple, FBI: YES we're, er, looking into the NAKED CELEBRITY PICS. Aren't you?

The Federal Bureau of Investigation and Apple are examining the theft of a large cache of naked celebrity photos, thought by many to have been snaffled from the fruity firm's iCloud backup silos. As El Reg reported yesterday, the photos depict Jennifer Lawrence, Kate Upton and around 100 others are thought to have been stolen …

Paris Hilton

If you don't want any naked pix

of yourself (celebrity or not) on the internet, just don't take any.

There, fixed.

28
11
Silver badge

Re: If you don't want any naked pix

Just do not upload them. Yes, I know - a bit difficult with an iThing which will sync everything to the Apple cloud regardless of do you want it or not. Maybe the Chinese got a point there on the security aspects.

7
3
Stop

Re: If you don't want any naked pix

Not wishing to pop your anti-Apple bubble, but you do actually need to set that sync up. I know, because I have such a device and have not configured the sync process. In fact, I checked all the settings and they were off by default so I didn't have to opt out either.

More facts, less mindless bleating please.

15
4
Silver badge

Re: If you don't want any naked pix

@andreas koch

No, just don't take them with your phone. Use a standard digital camera and upload them straight-away to your computer and then delete them from the phone.

Even if you have no cloud sync setup on your device, scores or smart phones are lost and stolen daily, not to mention the potential for friend/parent or - much worse - child to pickup your phone and find the nudie-snaps.

I feel genuinely sorry for these people as it is a gross breach of privacy but in this day you simply must understand the if you want to use it.

4
1
Anonymous Coward

Re: If you don't want any naked pix

But surely pics of naked celebs would not be in the celebs cloud storage but in the account of the person who took the photos.... Unless celebs give their phones to take naked photos of themselves... Which given the narcisisstic nature of some celebs is totally possible I suppose.

5
1
Stop

Re: If you don't want any naked pix

iCloud is cloud service done right. It stores your music, photos, apps, calendars, documents and more

So if iCloud has been open to attack ANYONE could have had ANYTHING taken.

This is MUCH bigger than 100 celebs with some dodgy pics. Apple need to fess up, and not doing is is grossly irresponsible.

5
1

Re: but in the account of the person who took the photos

The way I interpret the reporting elsewhere, at least some of the photos were "professionally taken" so that is a possible leak point. Even at that, I expect the celebs have copies of them in their "private" portfolios. So where the loss of custody happened is not clear.

Also, while weak passwords are usually the culprit, remember that isn't necessarily the weakest link. Hackers might also have trawled the password reset questions, and given the obsessions with celebrities, may have cracked those instead after searching the internet for the answers.

2
1

Re: If you don't want any naked pix

The real tragedy in all this is not that people have seen those celebs in the buff, but that they have done so without paying the usual fee. Hacking someone's account, or even many people's accounts, is bad enough, but infringing a celeb's copyright on their bootay is unforgiveable.

7
1
Paris Hilton

Re: If you don't want any naked pix

> would not be in the celebs cloud storage but in the account of the person who took the photos

Congrats on sleeping thru the "selfie" revolution, most have not been that lucky...

Paris, coz she is probably fuming for not being hacked..

4
0
Thumb Up

@dan1980: - Re: If you don't want any naked pix

There's no need to delete them from the phone if I used a standard digital camera . . . Cough. I'm sure that's not what you wanted to say.

I go by the rule that if I don't want it to be known or seen, I'll not tell or show it. Specially if it can be connected to me.

. . . and in my book putting it into any cloud as a usable file is showing. If I really, really need to back up to a cloud service, then the file is locally encrypted first and then uploaded. Encryption by the service is not acceptable as far as privacy is concerned.

1
0

Re: If you don't want any naked pix

Can we stick to facts and not hyperbole? (Isn't that the job of Reg hacks?)

iDevices automatically upload stuff to the fluff automatically without user say-so just as much as Android or anything-else-a-droid does. You can turn all that auto cloud s*it on if it floats your boat, or leave it all off. (iOS photostream is, for one, an opt-in choice, not an opt-out one). Your choice of pratform is pretty much irrelevant in this context - whatever your bozophone can do in this regard, so can mine if I want it to (or not). Who cares?

This yawngasm inducing fanboi/fandroid shit is sooooo last conversation. Move along, citizens, f*ck all to see here.

0
0
Anonymous Coward

Apple does not limit the number of password entry attempts users could can make

WTF?!?

34
0
Silver badge

Re: Apple does not limit the number of password entry attempts users could can make

And remember, a great many Apple IDs have a home address, phone numbers and CC information all dutifully filled in from the original purchase of the device at the online store or so the app store 'just works'.

It's a disaster waiting to happen. Oh it just has. Again.

26
1
Silver badge
Mushroom

Re: Apple does not limit the number of password entry attempts users could can make

I frankly think we should have more of these disasters.

Makes ISIS, Ebola, the resurgent Recession, and the NATO-embiggening show in the ex-Soviet countryside that we need to fight because of reasonsmoneyed neocon interests look tame in comparison.

As El Reg reported yesterday, the photos depict Jennifer Lawrence, Kate Upton, Ariana Grande

Woah, I nearly misread this as photos of decrepit. I was worried of getting older fast.

6
10

Re: Apple does not limit the number of password entry attempts users could can make

Well.. "Password" is a long word, so there could be typos.

4
0
Silver badge

Re: Apple does not limit the number of password entry attempts users could can make

@Destroy All Monsters

Indeed, it will be a welcome distraction helping the media to continue keeping our attention from the fact that a lot of the "Little Green Men" on one east side of the Ukrainian conflict are speaking Serbian and their equivalent "Little Green Men" on the west side of the conflict are speaking Croatian and they are replaying the same conflict for the 3rd time in the last century. Score so far is 1:1, popcorn to observe the outcome of the third one. Disclaimer - I have seen some of them myself this summer taking a short stop in one of the few remaining Eu cities that still has flights to Ростов на Дону.

It has been extremely entertaining watching the Western mainstream media go to extreme length on ensuring that this "entertaining" detail is not aired in any "news". In fact they have been better at that than previously (during the Kosovo war the video footage often contained the Chechen, Syrian and Lybian "volunteers"). After all, if you air it will become clear what will be next (NATO bombing) and how long it will last (15 years and counting).

It is lovely when we have a "disaster" like that - it helps keep the attention of the sheeple from what is really happening out there. Bring it on, let's have more celebutard leaks.

3
8
Megaphone

Re: Apple does not limit the number of password entry attempts users could can make

Apple is a toxic hellstew of vulnerabilities. FACT.

Karma is a BITCH

10
7

Re: Apple does not limit the number of password entry attempts users could can make

"Apple does not limit the number of password entry attempts users could can make

WTF?!?"

And there ends any pretence that weak security is a Microsoft problem.

Someone, somewhere, inside Apple took a decision to effectively remove security to enable a feature. That person doesn't have any business being near technology, at any vendor, and should be looking for work more suited to their talents.

11
0
Gold badge

Re: Apple does not limit the number of password entry attempts users could can make

Apple does not limit the number of password entry attempts users could can make

WTF?!?

That is the case in many online services where they don't even implement rate limiting or progressive incremental retry delay on failure, but the risks with an Apple account are much bigger because it's basically SSO - one password to rule it all. /Not/ good..

7
0

Re: looking for work more suited to their talents.

You don't apply for that kind of work. The State assigns it to you after they've found and processed you. They even give you spiffy new clothes to wear.

Well, they use to. I hear you can't even get that kind of work that way any more.

0
0
Silver badge
Facepalm

Re: Apple does not limit the number of password entry attempts users could can make

@Dan 55

>And remember, a great many Apple IDs have a home address, phone numbers and CC information all dutifully filled in from the original purchase of the device at the online store or so the app store 'just works'.

As much as I like to dish Apple, you would be able to see the tel and address, the latter you can find out online, BTW, as for CC info ? Are you nuts ? you can only see the last 3 or 4 digits of the CC, just like on receipts ... ok, they could use the account to purchase stuff in the app store, but they would probably get caught doing that.

So, yeah, they might have her cell phone, what you gonna do, call her?

"Hello, this is Dan 55, I hacked into your iCloud account and got naughty pics of you ..."

0
0

"...it is not your fault if you are using bad passwords because you are celebrities, not nerds".

That's not how security works. "Nerds" may elect to use full-disk encryption or some other less-used/more-complex security, true. But *everyone* needs to use secure passwords. At least for stuff they care to keep secure. It's not a complex concept, really.

Speaking of security: Apple doesn't have brute-force mitigation in place...? Excuse me while I clean the floor before I ROFLOL... :-)

19
0
Silver badge

>But *everyone* needs to use secure passwords. At least for stuff they care to keep secure. It's not a complex concept, really.

Not a tricky concept, but a PITA in practice. Such is life! Some people advocate the use of password managers, though only last month The Reg reported of a security failure in a popular example of the breed.

Personally, I use the tiered approach, so might reuse the same password across low value sites (seldom-visited forums, for example) whereas email and banking sites get complicated (non-dictionary, UPPER lower case, !"£$, numbers, mixed up) passwords.

3
1
Silver badge

"Not a tricky concept, but a PITA in practice. Such is life!"

What?!??!?

First you tell me I can't use my birthday as my PIN and then you tell me I can't even write in on my card! Now I've got to choose another PIN for my credit card. Sheesh.

3
0
Anonymous Coward

@RIBrsiq

Apple don't need it. Everyone knows Apples are absolutely immune to hackers and viruses so you don't need security.

Clearly the iCloud must have been running W1nbLowz.

9
1
Silver badge

Long passwords are easy

...as long as you stick to words, and use more than one.

I used a similar scheme to the one you describe, and then I read this (posted by another El Reg forum user a few months ago):

http://xkcd.com/936/

I'm not ashamed to say I was embarrassed by this revelation, and have started to apply the principles to my passwords. Unfortunately a lot of sites insist on relatively short passwords.

5
0
Silver badge

Re: Long passwords are easy

"Unfortunately a lot of sites insist on relatively short passwords."

Additionally a lot of sites also insist on the mixed use of upper/lower case and numbers.

3
0

Re: Long passwords are easy

I just rest an older password om XXXXX and found that the "upgraded" security would not let me use anything other than alphanumeric - no special characters allowed! Since this was one of my "low risk" passwords, it is not critical, but I am glad I don't use this particular XXXXX fro anything critical.

0
0
Anonymous Coward

Isn't that what makes their products so intuitive to use?

Once you buy into the 'Apple' ecosystem you TRUST them to do it all for you. You'll never get a viral attack but you'll find your naked arse plastered all over the internet though. Unlimited number of password attempts to access iCloud? WTF! I'd rather use antivirus software and take my chances with a virus/worm attack on a Windows/Linux PC.

9
2
Silver badge

Re: Isn't that what makes their products so intuitive to use?

On the other hand, most cloud services don't have limits, or the limits are large. Some may slow down the retries if they hit a certain number, or block an IP address for a few hours. Or require email verification (probably the best method), if a certain number of attempts are made.

If they locked the account every time a few wrong attempts were registered, many users would spend much of the day re-enabling their account - okay, they would then see that they are under attack and they might change their password, or enable second factor authentication.

Brute forcing attempts are probably something most cloud services have to put up with every day. How would push email work, if your account is getting locked every 15 minutes?

There needs to be a replacement for passwords. I agree unlimited attempts is wrong, but so is simply locking the account.

3
5

Re: Isn't that what makes their products so intuitive to use?

There's a lot that can be done to make brute-force attacks useless before locking an account. Wait timers are good and simple. A lousy one minute delay between attempts would completely kill a brute force attack, while it would be just an inconvenience to the user. So:

0- Enforce password complexity. Should be simple when you already know everything about your user: "No, you cannot use that password because it was the name of your 3rd grade teacher's pet gerbil"... ;)

1- Start with a one second wait and double it with every failure. Cap at 128 seconds or something, to keep things sane. Else you'll very quickly effectively lock the account.

2- Lock the account only when hundreds of attempts are made in a single day or some such.

The details will vary and some fine-tuning will definitely be required based on the type of data, users, actual usage experience and whatever other attack vectors might exist (brute force attacks vs. denial of service, for example), but you see the basics. Not complex.

10
0
Silver badge

Re: Isn't that what makes their products so intuitive to use?

@RIBrsiq

In other words, apply the same 'common-sense' approach that has been used for everything from web services to home routers in the past.

"Not complex."

Exactly.

3
0
Anonymous Coward

Re: Isn't that what makes their products so intuitive to use?

This should be achieved at the hardware level not the application. Would like to see your wait code that doesn't use up server resource ie. holding connections, as you can easily cause your own DOS attack and run out of resources.

0
0

@big_D

I heard of a scheme which used a minimum wait time of about 0.5s (assumed the fastest anyone could type a reasonable password) and doubling that for every failed attempt.

Does anyone know if this is in use anywhere?

0
0

Re: @big_D

Used extensively on Lotus Notes logins I believe.

0
0
Anonymous Coward

Re: Isn't that what makes their products so intuitive to use?

2- Lock the account only when hundreds of attempts are made in a single day or some such.

Omg i sure hope they do that one, it will give me great pleasure to lock some itards out of their accounts for hours and hours!!!

0
0
Silver badge

From what I read, it's not pictures that were just found in a day; some of these had been deleted by their owners long ago. It's a whole archive assembled over the years that just became public. So the hack is not recent.

5
2

Not necessarily. It's entirely possible pictures aren't actually deleted from "cloud services" when a user marks them for deletion.

6
0

More involved than article suggests.

So far we know that many of the photos were taken on a variety of devices, including 2010 era blackberries, android, and iOS devices.

While this could be a cloud service issue, the time frames involved as well as the diversity of devices suggest that this is much deeper than that.

A Hollywood based IT service firm go out of business recently?

Someone wanting to show some of the goods regarding those NSA nude photo exchanges snowden was talking about?

Whatever happened, I hope it doesn't devolve into platform bickering and thee we do end up getting a straight answer about it so we can learn from it.

Karl P

8
0
Silver badge

Re: More involved than article suggests.

@karlp

However much this actually relates to Apple's iCloud, one can hope that the attention it has drawn to the password inadequacies prompts an improvement.

I am all for software/service vendors giving users choice and treating them like adults but when it comes to security in this modern age there isn't much room for compromise.

0
0
Anonymous Coward

Re: More involved than article suggests.

If you look at the pictures (and I'm not recommending you do), you'll see that many of them are taken in a mirror, with the smartphone clearly visible. In most of the ones I've seen, the phone was NOT an iPhone.

That doesn't rule out iCloud, of course - the slebs in question could have sent the pictures to iPhone users - but if many of these pics were taken on Android phones it's not entirely impossible that some Google+ hackery is going on as well...

2
0

Re: More involved than article suggests.

Or that said users were syncing their phones with a Mac/PC with iTunes, and that itself was 'backing up' to iCloud - or a similar setup where iCloud was the last step in the line.

IE I set up a system where a user wants to show their pictures off, so they transfer the images to their computer, they work on the images on the computer, and the finished images are sync'd with iCloud so they can show them off on the tablet (as it autosyncs to the camera roll I think - I forget the details, but it worked, that's the main thing).

So they could be taking the pics with a point and shoot camera if they want, but if they end up in the default photos library, and iCloud sync is switched on, then they're vulnerable to iCloud hackery.

So someone using a Blackberry, syncing the photos to a default photo locale, which is the same place iCloud syncs from, and bosh, it's in iCloud.

Still not seen huge details on how the hack was performed - have I skim read too much? Was it really a bruteforce on the API? Seems too easy...

Steven R

3
1

Re: More involved than article suggests.

Time frames and variety of devices could be irrelevant. Pictures could have been taken on the BB, moved to a computer, then backed up into iCloud because it was convenient. Hack the iCloud account and voila!

1
1
Silver badge

In other news...

Rhianna was said to be severely embarrassed after photos were stolen from her iCloud account and published on websites purportedly showing her fully clothed.

18
0
Anonymous Coward

According to this morning's Metro

There's a JLaw sex tape too? Christmas has come early!

2
0

This post has been deleted by its author

I like how the FBI get involved when it's someone famous that has their photos nicked.

See title.

6
0

Re: I like how the FBI get involved when it's someone famous that has their photos nicked.

FBI agent A: Seen it. Seen it. Seen it. Woooo, that's a new one.

FBI agent B: That photo was uploaded two days ago. Please try to keep up with latest developments.

Seriously though. Would the FBI get involved if these were accounts of "ordinary" people that was hacked??

6
0
Happy

Re: I like how the FBI get involved when it's someone famous that has their photos nicked.

They should call NSA and ask to see them in real time as they're uploaded.

2
0
Anonymous Coward

Re: I like how the FBI get involved when it's someone famous that has their photos nicked.

Only if they are really hot

0
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018